Bugzilla – Bug 1817
pv bootloader doesn't check the size of the bzip2 or lzma compressed kernel
Last modified: 2012-08-09 22:48:42 CDT
Created attachment 1053 [details]
Description of problem:
The pv bootloader doesn't check the size of a bzip2 or lzma compressed kernel
image. Denial of service can be caused by padding a large file at the end of
the kernel image, which can be used by a malicious domU root.
I have put this bug at redhat bugzilla, no response yet.
Version-Release number of selected component (if applicable):
Fedora 16 with xen-4.1.2 and possibly all the xen versions that support bzip2
and lzma kernels
Steps to Reproduce:
1. compile a bzip2-compressed kernel in a pv domU
2. cat large_file >> vmlinuz
Suppose the /boot section is large enough , the pv guest has 512M memory, and
the host is 64-bit.(The same for 32-bit OS but 32-bit OS can't allocate larger
memory space and open bigger file)
On my machine(a virtual machine in vmware):
The large_file is 9G in size. (I generated it with dd from /dev/zero)
When I allocate 4G memory to dom0 with 4G swap space, the domU can't be started
for lack of memory.
See attachment 1 [details],2 and 3 for more information. The system is busying
swapping but eventually runs out of memory and swap space, causing pygrub
crashing. It takes nearly 10 minutes.
Then I allocate 12G memory to dom0, domU can be started but at a great cost. It
takes nearly 5 minutes. See attachment 4 [details] for more information.
The guest can't be started because it has only 512M memory. (In a real machine
as long as the machine has enough memory , it can be started)
This bug can be used to launch a denial of service attack. If the domU
automatically restart at a xen-tolerant interval(eg. 2 minutes), the resource
will be occupied by this vm for most of the time. Also , it is unfair and not
reasonable to allocate 10G memory just for starting a 512M-memory virtual
In a physical machine or a hvm guest, as long as the kernel image it not bigger
than the maximum memory , then the os can be booted.
As for the gzip-compressed kernel image in a pv-domU,the size is limited to
1G.But this still has the problem, because the dom0 may allocate 512M to start
To make the pv domU more like a real machine, I think the bootloader should not
allocate a memory space larger than the domU has.
Created attachment 1054 [details]
out of memory
Created attachment 1055 [details]
xen-related processes occupy the cpus, and kswapd is busying swapping
Created attachment 1056 [details]
domU boots successfully at a great cost
This has been assigned CVE-2012-2625 by MITRE.
The following is the bug track filed at Red Hat Bugzilla:
Congratulations on your brilliant work!
I am trying to make it work on suse 11.3 + xen 4.0.0, but failed all the time
this is my process, need your advice:
1, set up the XEN, with 2 VM installed
2, downloaded a VM image, run it, OK
xm create -c XX.cfg
3, with dd, I padded the image file to 10GB
dd if=/dev/zero of=./tmp bs=1G count=10
cat ./tmp >> ./XX.img
4, trying to redo step 2
the running is OK, no memory/ CPU peak load
can you tell me where i can improve? thank you in advance
my email is email@example.com